By Mike S
We security folks have long preached, and rightly so, the virtues of a “complex” password. By increasing the size of the alphabet and the length of the password, we increase the work the bad guys must do to guess or crack the passwords. We’ve gotten in the habit of telling users that a “good” password consists of [lower case, upper case, digits, special characters] choose 3. Unfortunately, if that is all the guidance we give, users, being human and, by nature, somewhat lazy, will apply those rules in the easiest way.
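As an added illustration (not part of the original post), the following Python shows why the "choose 3 of 4 classes" rule alone is weak guidance: a checker that enforces the rule will happily accept a dictionary word with the usual lazy decorations, so a second check that strips those decorations and compares against a known-weak list is needed. The word list is a short constructed sample standing in for a real breached-password corpus.

```python
import re

# Constructed sample of weak/breached passwords; a real deployment would
# consult a large breached-password corpus instead of this short list.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty",
                    "letmein", "welcome", "monkey"}

# Substitutions users make to satisfy the digit/special-character classes.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_three_of_four(pw: str, min_len: int = 8) -> bool:
    """The '[lower, upper, digit, special] choose 3' rule from the post."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, pw))
    return len(pw) >= min_len and present >= 3


def normalize(pw: str) -> str:
    """Undo the 'easiest way' of meeting the rule: capitalise a letter,
    pad with digits or a symbol, swap letters for look-alike digits."""
    low = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)  # drop leading/trailing padding
    return core.translate(LEET_MAP)


def is_predictable(pw: str) -> bool:
    """True when the password is a common secret dressed up to pass the rule."""
    low = pw.lower()
    candidates = {low, re.sub(r"\D", "", low), normalize(pw)}
    return any(c in COMMON_PASSWORDS for c in candidates)


def accept_password(pw: str) -> bool:
    """Registration policy: complexity rule AND not a decorated common password."""
    return meets_three_of_four(pw) and not is_predictable(pw)
```

The complexity rule alone passes "P@ssw0rd1!", while the normalised check recognises it as "password"; the same check catches the "12345" variants the later post quotes.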
By Mike S
In a Salt Lake Tribune article, reporter Patty Henetz quoted Utah Department of Health spokesman Tom Hudachko, who said that in this particular incident, a configuration error occurred at the level where passwords are entered, allowing the hacker to invade the security system. Technology Services has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.
Michael Hales, the Health Department’s Medicaid Director, said, “It just looks like processes broke down,” according to the Tribune.
This sounds like a weaselly way of admitting that the default passwords were not changed. Default passwords are the easiest way into any system!
By Mike S
Anonymous again demonstrates the importance of strong passwords:
Along with the release of these e-mails, Anonymous also exposed the passwords of 78 accounts on the Ministry’s servers. Of the passwords revealed, 31 were “12345” and a number were minor variations on that. Some of the other passwords in the set included:
By Mike S
Just before the holiday weekend, as their final act of defiance in 2011, AntiSec supporters published nearly a million records taken during the Christmas Eve attack on Strategic Forecasting Inc. The Tech Herald has examined the list of 860,160 password hashes that were leaked, and the results of our tests were both expected and pitiful.
We’re sorry to report that the state of password management and creation is still living in the Dark Ages.
The first half of the report describes their methodology, and the latter half describes the passwords they’ve cracked.
Do your employees or customers use passwords like these? How do you know?
By Mike S
It’s funny, because it’s true.
When I was an IT admin, I had the pleasure of dealing often with people who would submit urgent service requests and then leave for the day, leaving their office empty and computer locked by the time I could get there to help. Fortunately, I was often able to fix their problem while they weren’t there. Why? Their password was somewhere on their desk in one of these easy-to-find locations.
By Mike S
Something to be aware of:
A security researcher has discovered that changes to Directory Services in Lion make it much easier to access and potentially crack hashed user passwords. Worse yet, it is possible for any user to change any currently logged in user’s password, making it much easier to gain root remotely.
By Mike S
So again: Palin’s AOL account was hacked because it used publicly-known answers for password-retrieval questions, a common/known exploit exposed users on O’Reilly’s site, and password-reuse by users exposed their other personal accounts.
On September 19, 2008, hackers from the Anonymous collective attacked the website of Fox News host Bill O’Reilly. The hackers found and immediately posted e-mail addresses, passwords, and physical addresses of 205 O’Reilly site members paying $5 a month to hear Bill’s wisdom. The next day, a distributed denial of service (DDoS) attack hit the site with 5,000 packets per second. That night, another attack flooded two O’Reilly servers with 1.5GB/s of data.
The attack itself wasn’t particularly clever, but it was effective. Billoreilly.com’s administrative interface was protected by a servlet that locked down access to all back-end material, but the site administrator made one small mistake: he once created a “New premium member report” showing a list of the most recent subscribers, and he created it in such a way that it bypassed the servlet. As later FBI interview notes show, this was “just an error”—but it made the new member report available outside the secure admin structure to someone who knew the location.
The attackers took the name at the top of the list, an account registered only one hour before, and used it to log into the O’Reilly site as a check of the data’s accuracy. The information was then posted to Wikileaks and discussed on 4chan. Three O’Reilly members who had used the same password on multiple other sites experienced additional fraudulent use of that information.
The article doesn’t differentiate whether the portion of Bill’s site that was hacked contained cardholder data, so I don’t know if this will be considered a breach meriting PCI DSS penalties. But it’d be quite embarrassing for Bill if his site now has to post the “We’ve been hacked!” banner.
By Mike S
Despite repeated reminders to select strong passwords and not to reuse them across Websites and services, online users continue to be frighteningly lax in their password security, according to a recent analysis of leaked passwords.
Software architect and security researcher Troy Hunt analyzed the torrent of files released by LulzSec shortly after the group hacked Sony Pictures and Sony BMG Music and the password lists that another hacker group, Gnosis, leaked in December after hacking Gawker’s commenting database. According to Hunt’s analysis, 88 people were in both data sets with the same email address, and 67 percent of them used the same password.
Admittedly, 88 people is a very small number, considering there were 37,608 accounts in the Sony files and more than 188,000 accounts from Gawker. However, the two sites are pretty independent in terms of the kinds of users they attract, Hunt noted. For skeptics who may not consider this significant, Hunt identified “well over” 2,000 users who had accounts with both Sony Pictures and Sony BMG using the same email address. Hunt found 92 percent of the users had the same password across both accounts.
Based on these findings, it’s reasonable to assume many of these user-name or email combinations with the password could turn out to be the “key” to access other Gmail, eBay and Facebook accounts. “There’s a statistically good chance that the majority of them will work with other Websites,” Hunt said.
Most people either don’t care, or are happily oblivious to the risks of credential re-use.
During new account registration, a strong web-app could probe other sites and services to see if those credentials are being used at, for instance, Hotmail, Gmail, Facebook, and so on, and reject re-used credentials.
And then encrypt the heck out of anything it does keep and store.
By Mike S
This was just plain bad planning:
Just two days after the PlayStation Network was restored after a near month-long outage, the PSN password page has apparently been exploited. According to reports, the exploit allows other users to reset your account password using only your e-mail address and date of birth. This personal data was made available to hackers during the initial PSN attack.
It makes sense that someone could change their own password easily when logged into their account. But when using a “I forgot my password” link, there should be more verification of identity than simply guessing a number and an e-mail address.
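To make the contrast concrete, here is an added Python example (not Sony's code, and not from the original post) that places the flawed design, where a leaked e-mail address and date of birth are enough to reset a password, beside a token-based "I forgot my password" flow: a random single-use token is e-mailed out of band, only its hash is stored, it expires, and it is compared in constant time. The account record, salt handling and time values are constructed for the example.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid


def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def make_store():
    """Constructed account record; e-mail and date of birth are exactly the
    fields the post says attackers already held from the earlier breach."""
    salt = secrets.token_bytes(16)
    return {"alice@example.com": {"dob": "1990-05-17", "salt": salt,
                                  "pw": hash_password("old-password", salt)}}


def weak_reset(store, email, dob, new_pw):
    """The flawed design: knowledge of leaked profile data authorises a reset."""
    user = store.get(email)
    if not user or user["dob"] != dob:
        return False
    user["pw"] = hash_password(new_pw, user["salt"])
    return True


def request_reset(store, tokens, email, now):
    """Issue a random token and store only its hash with an expiry."""
    if email not in store:
        return None  # the HTTP response must still look identical to success
    token = secrets.token_urlsafe(32)
    tokens[email] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
    return token     # goes only into the e-mail, never into a response body


def complete_reset(store, tokens, email, token, new_pw, now):
    """Accept the reset only with a fresh, unexpired, matching token."""
    entry = tokens.pop(email, None)  # single use: consumed on any attempt
    if entry is None:
        return False
    digest, expiry = entry
    presented = hashlib.sha256(token.encode()).digest()
    if now > expiry or not hmac.compare_digest(digest, presented):
        return False
    user = store[email]
    user["salt"] = secrets.token_bytes(16)  # re-salt on every password change
    user["pw"] = hash_password(new_pw, user["salt"])
    return True
```

The unguessable token, rather than the e-mail address plus a date, is what ties the reset to someone who controls the mailbox.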